I have used Pest Patrol to detect why my homepage is diverted to www.wow.access.com/serach/main.html.
Also, when it hides behind "www.microsoet.com/start/php?url=" it diverts yahoo.com & google.com by using this address.
It says the program lies in the file C:\windows\stsheets.dat; however, this does not show up in Windows Explorer.
Here are the findings of Pest Patrol:
Category: Hijacker
Author: coolwebsearch.com
Release date: 1/25/05
In FILE: C:\windows\stsheets.dat
PVT: -1323859766
MD5: 482aee62ac99e5064e074670a97f5741
I have run "NoAdware"; it does not detect it at all.
The following is my "Hijack This" log:
Logfile of HijackThis v1.99.1
Scan saved at 8:51:46 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
C:\windows\system32\winpipe.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\secmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-acces...earch/main.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wow-acces...earch/main.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wow-acces...earch/main.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-acces...earch/main.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wow-acces...earch/main.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-acces...earch/main.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-acces...earch/main.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-acces...earch/main.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-acces...earch/main.html
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [winpipe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\secmon.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - HKCU\..\Run: [NoAdware] "C:\Program Files\NoAdware3\NoAdware.exe" /s
O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: secmon.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll (file missing)
O13 - DefaultPrefix: http://www.microsoet.../start.php?url=
O13 - WWW Prefix: http://www.microsoet.../start.php?url=
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Any assistance will be greatly appreciated in eradicating this hijacker!!!
Thank you!